SENATOR VULAKOVICH, COMMUNICATIONS AND TECHNOLOGY, AS AMENDED, FEBRUARY 6, 2013

AN ACT

Amending the act of December 22, 2005 (P.L.474, No.94), entitled "An act providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties," further providing for notification of breach; and providing for investigation of breach involving a State agency, for investigation of breach involving a county, school district or municipality and for individuals responsible for breach.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Section 3 of the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, is amended by adding subsections to read:

(a.1) Notification by State agency.--If a State agency is the subject of a breach of security of the system, the State agency shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the Office of Attorney General within three business days following discovery of the breach. A State agency under the Governor's jurisdiction shall also provide notice of a breach of its security system to the Governor's Office of Administration within three business days following the discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

20130SB0114PN0367

(a.2) Notification by county, school district or municipality.--If a county, school district or municipality is the subject of a breach of security of the system, the county, school district or municipality shall provide notice of the breach of security of the system required under subsection (a) within seven days following discovery of the breach. Notification shall be provided to the district attorney in the county in which the breach occurred within three business days following discovery of the breach. Notification shall occur regardless of the existence of procedures and policies under section 7.

(a) Investigation.--Upon receipt of notification under section 3(a.1), the Office of Attorney General shall investigate the breach. The investigation shall include a review of procedures, a determination of the cause of the breach and recommendations to the agency relating to prevention of similar breaches in the future.

Section 3.2. Investigation of breach involving a county, school district or municipality.

(a) Investigation.--Upon receipt of notification under section 3(a.2), the district attorney shall investigate the breach. The investigation shall include a review of procedures, a determination of the cause of the breach and recommendations to the county, school district or municipality relating to prevention of similar breaches in the future.

(b) Cost.--The cost of the investigation under section 3(a.2) shall be paid by the county, school district or municipality where the breach occurred.

(c) Attorney General.--If the district attorney determines that the breach of security of the system warrants an investigation by the Office of Attorney General, the district attorney may request that the Attorney General join or take over the investigation.

Notwithstanding any other provision of this act, if a breach of security of the system was caused by an intentional act or misuse of the system or intentional unauthorized access to the system, an individual determined by a court to be responsible for the breach may be ordered by the court to pay for the cost of the investigation and the cost of repairing and restoring the system.